Every day, your organization provides products or services to customers locally and around the world. Your accounting department may be processing credit card information to complete sales transactions, or you may be a payment processor that handles credit card transactions on behalf of other companies. Any business involved in the collection, storage, transmission, or use of cardholder data must follow the Payment Card Industry Data Security Standard (PCI DSS), developed by the PCI Security Standards Council to safeguard cardholder information against theft, fraud and misuse.
Periodically, the PCI Security Standards Council issues revisions and updates to the standard to clarify and strengthen the payment security measures that merchants, card issuers, payment processors and other organizations must put in place. At the end of April 2016, PCI DSS version 3.2 was scheduled for release, updating a number of provisions in PCI DSS 3.1. Understanding what was changed, what it means for your business operations, and when each change becomes mandatory will help your organization prepare and stay in compliance with the requirements.
PCI V3.2 Updates to Multi-Factor Authentication
Restricting access to cardholder data to authorized personnel has been a persistent problem for organizations around the world. In the past, PCI DSS required multi-factor authentication only for remote network access originating from outside the organization's network. PCI DSS 3.2 extends this requirement to all non-console administrative access into the cardholder data environment, including access by administrators connecting from inside the network.
This update is designed to prevent unauthorized access both from outside your organization and from inside it, where administrative personnel may previously have entered the cardholder data environment with a single form of authentication. The term "two-factor authentication" was also changed to "multi-factor authentication" for more consistent wording and to encourage organizations to use two or more authentication factors regardless of where the administrative personnel are located.
PCI V3.2 Updates to Designated Entities Supplemental Validation (DESV)
The Designated Entities Supplemental Validation (DESV) provides a set of additional criteria for entities that a payment brand or acquirer has designated as needing closer oversight, typically because they process large transaction volumes or have suffered repeated breaches. These requirements are designed to increase the protection of payment data: they set out how to scope the environment, how to promptly detect and respond to failures of critical security controls, how to alert on those failures in a timely way, and how to maintain a compliance program with the oversight needed to ensure all security processes operate as intended.
The DESV was previously published as a separate supplement to PCI DSS 3.1. In PCI DSS 3.2, the DESV requirements are consolidated into an appendix of the standard itself, so your organization can review the criteria and decide whether to adopt them voluntarily as good practice. For some organizations, a DESV assessment is mandatory when a payment brand or acquirer requests it.
Additional PCI V3.2 Updates
There are also additional updates in PCI DSS 3.2 that may affect your security program for cardholder data. While the full details of PCI DSS 3.2 were still being released at the time of writing, here are several key points that your organization should take note of for its security programs and controls.
1: In December 2015, the PCI Security Standards Council extended the migration deadline for moving away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) to June 30, 2018. PCI DSS 3.2 includes appendices to help your organization document and report on its migration efforts.
2: Service providers are coming under greater scrutiny over the effectiveness of the security management processes for their cardholder data environments. Executive management must establish accountability for the compliance program and for the protection of cardholder data. Service providers must also maintain a documented description of their cryptographic architecture, and must detect, report and respond to failures of critical security control systems.
3: There is additional clarification on displaying primary account numbers (PANs). The standard now states that the first six and last four digits are the maximum that may be displayed when a PAN is masked; the criteria are being refined to accommodate upcoming changes to card numbering standards.
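The PAN masking point above is easy to get wrong in logs, receipts and support tools, so here is an added Python example (not code from the original article or from I.S. Partners) that masks a PAN to the first six and last four digits and redacts any Luhn-valid card number found in a constructed log line. The regular expression, the `mask_pan` and `redact_line` function names, and the sample log line are this example's own assumptions; the 16-digit number used is a widely published test card number, not a real account.

```python
import re

# PCI DSS 3.2 Requirement 3.3: when a PAN is displayed, the first six and
# last four digits are the maximum that may be shown in the clear.
MAX_FIRST = 6
MAX_LAST = 4

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces
# or hyphens. This pattern is an assumption for the example.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = MAX_FIRST, keep_last: int = MAX_LAST) -> str:
    """Mask a PAN, keeping at most the first six and last four digits."""
    if keep_first > MAX_FIRST or keep_last > MAX_LAST:
        raise ValueError("PCI DSS 3.3 permits at most first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form.

    Digit runs that fail the Luhn check (order IDs, timestamps, etc.) are
    left untouched so that ordinary identifiers are not mangled.
    """
    def _replace(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if luhn_ok(digits):
            return mask_pan(digits)
        return raw
    return PAN_CANDIDATE.sub(_replace, line)


if __name__ == "__main__":
    # Constructed sample log line; 4111 1111 1111 1111 is a published test number.
    sample = "2016-04-28 10:02:11 txn=1234567890123456 pan=4111 1111 1111 1111 amount=42.00"
    print(redact_line(sample))
```

Running the block on the sample line leaves the (non-Luhn) transaction ID alone and rewrites the card number as 411111******1111. Redaction at the logging layer is a compensating control, not a substitute for never writing full PANs to logs in the first place.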
When PCI V3.2 Takes Effect
PCI DSS 3.2 was published at the end of April 2016 and is effective immediately, but the new requirements it introduces are treated as best practices until January 31, 2018. From February 1, 2018, those new requirements become mandatory for all organizations that gather, store, process or transmit cardholder data.
If your organization is currently performing assessments against the earlier PCI DSS 3.1, all such assessments, including the Self-Assessment Questionnaires (SAQs), can still be completed during the six-month phase-out period. PCI DSS 3.1 is officially retired on October 31, 2016; after that date, all assessments must be performed against PCI DSS 3.2.
Getting Your Organization Ready for PCI V3.2
For some organizations, PCI DSS 3.2 will be a mandatory standard for validating their critical security controls. Even where it is not mandatory for your organization, you can still evaluate the standard and see whether its criteria can improve your security measures and controls for protecting cardholder data. An independent audit of your organization's controls, management systems and policies will help you discover gaps in your security procedures and provide advice on strengthening your existing data security practices.
Such an assessment gives you a clearer understanding of how your organization gathers, stores, uses and transmits cardholder data, how employees access that data, and what security measures should be in place. You can then incorporate PCI DSS 3.2 throughout your organization's data security policies and procedures to prevent data loss and theft. If you are looking for a third-party auditing company to perform PCI DSS IT assurance assessments, contact I.S. Partners, LLC at 215-675-1400 or request a PCI Quote here.